<!DOCTYPE html>
<html lang="zh-cn" color-mode="light">

  <head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1" />
  <meta name="keywords" content="" />
  <meta name="author" content="郁涛丶" />
  <meta name="description" content="" />
  
  
  <title>
    
      NTLM认证 
      
      
      |
    
     郁涛丶&#39;s Blog
  </title>

  
    <link rel="apple-touch-icon" href="/images/favicon.png">
    <link rel="icon" href="/images/favicon.png">
  

  <!-- Raleway-Font -->
  <link href="https://fonts.googleapis.com/css?family=Raleway&display=swap" rel="stylesheet">

  <!-- hexo site css -->
  
<link rel="stylesheet" href="/css/color-scheme.css">
<link rel="stylesheet" href="/css/base.css">
<link rel="stylesheet" href="//at.alicdn.com/t/font_1886449_67xjft27j1l.css">
<link rel="stylesheet" href="/css/github-markdown.css">
<link rel="stylesheet" href="/css/highlight.css">
<link rel="stylesheet" href="/css/comments.css">

  <!-- 代码块风格 -->
  
    
<link rel="stylesheet" href="/css/figcaption/mac-block.css">

  

  <!-- jquery3.3.1 -->
  
    <script defer type="text/javascript" src="/plugins/jquery.min.js"></script>
  

  <!-- fancybox -->
  
    <link href="/plugins/jquery.fancybox.min.css" rel="stylesheet">
    <script defer type="text/javascript" src="/plugins/jquery.fancybox.min.js"></script>
  
  
<script src="/js/fancybox.js"></script>


  

  <script>
    var html = document.documentElement
    const colorMode = localStorage.getItem('color-mode')
    if (colorMode) {
      document.documentElement.setAttribute('color-mode', colorMode)
    }
  </script>
<!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.12.0/dist/katex.min.css">

<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hexo-math@4.0.0/dist/style.css">
<!-- hexo injector head_end end --><meta name="generator" content="Hexo 5.4.0"><link rel="alternate" href="/atom.xml" title="郁涛丶's Blog" type="application/atom+xml">
</head>


  <body>
    <div id="app">
      <div class="header">
  <div class="avatar">
    <a href="/">
      <!-- 头像取消懒加载，添加no-lazy -->
      
        <img src="/images/avatar.png" alt="">
      
    </a>
    <div class="nickname"><a href="/">Ghostasky</a></div>
  </div>
  <div class="navbar">
    <ul>
      
        <li class="nav-item" data-path="/">
          <a href="/">Home</a>
        </li>
      
        <li class="nav-item" data-path="/archives/">
          <a href="/archives/">Archives</a>
        </li>
      
        <li class="nav-item" data-path="/categories/">
          <a href="/categories/">Categories</a>
        </li>
      
        <li class="nav-item" data-path="/tags/">
          <a href="/tags/">Tags</a>
        </li>
      
        <li class="nav-item" data-path="/about/">
          <a href="/about/">About</a>
        </li>
      
    </ul>
  </div>
</div>


<script src="/js/activeNav.js"></script>



      <div class="flex-container">
        <!-- 文章详情页，展示文章具体内容，url形式：https://yoursite/文章标题/ -->
<!-- 同时为「标签tag」，「朋友friend」，「分类categories」，「关于about」页面的承载页面，具体展示取决于page.type -->


    <!-- LaTex Display -->

  
    <script async type="text/javascript" src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-chtml.js"></script>
  
  <script>
    MathJax = {
      tex: {
        inlineMath: [['$', '$'], ['\\(', '\\)']]
      }
    }
  </script>


        
            
                <!-- clipboard -->

  
    <script async type="text/javascript" src="/plugins/clipboard.min.js"></script>
  
  
<script src="/js/codeCopy.js"></script>



                    
                        
                                
                                        
                                                
                                                        
                                                            <!-- 文章内容页 url形式：https://yoursite/文章标题/ -->
                                                            <div class="container post-details" id="post-details">
                                                                <div class="post-content">
                                                                    <div class="post-title">
                                                                        NTLM认证
                                                                    </div>
                                                                    <div class="post-attach">
                                                                        <span class="post-pubtime">
        <i class="iconfont icon-updatetime" title="Update time"></i>
        2022-05-23
      </span>

                                                                        <span class="post-pubtime"> 本文共3k字 </span>

                                                                        <span class="post-pubtime">
        大约需要17min
      </span>

                                                                        
                                                                                    <span class="post-categories">
        <i class="iconfont icon-bookmark" title="Categories"></i>
        
        <span class="span--category">
          <a href="/categories/Technology/" title="Technology">
            <b>#</b> Technology
          </a>
        </span>
                                                                                    
                                                                                        </span>
                                                                                        
                                                                            <span class="post-tags">
        <i class="iconfont icon-tags" title="Tags"></i>
        
        <span class="span--tag">
          <a href="/tags/%E5%86%85%E7%BD%91/" title="内网">
            <b>#</b> 内网
          </a>
        </span>
                                                                            
                                                                                </span>
                                                                                
                                                                    </div>
                                                                    <div class="markdown-body">
                                                                        <p>[toc]</p>
<p>NTLM的东西在github之前写过，但是不够详细，这里重新再过一遍。</p>
<p>NTLM使用在Windows的工作组环境中，而kerberos则使用在域的情况下。</p>
<h1 id="LM-hash-amp-NTLM-hash"><a href="#LM-hash-amp-NTLM-hash" class="headerlink" title="LM hash &amp; NTLM hash"></a>LM hash &amp; NTLM hash</h1><p>在写NTLM认证之前先写下LM和NTLM。</p>
<p>hash密码格式：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::</span><br><span class="line">用户名:SID:LM-Hash:NTML-Hash:::</span><br></pre></td></tr></table></figure>

<h2 id="LM-Hash"><a href="#LM-Hash" class="headerlink" title="LM Hash"></a>LM Hash</h2><p>全称LAN Manager Hash, windows最早使用的加密算法。</p>
<p>LM Hash计算步骤：</p>
<ol>
<li>密码全部转换为大写，转换为16进制，14字节，不足用0补全。</li>
<li>分成两个7字节，每部分为56bit</li>
<li>每7bit分组，在后面加一个0bit，即每组8bit</li>
<li>上述两组，使用DES分别加密，key为：<code>KGS!@#$%</code></li>
<li>完成后，两组拼接，得到LM Hash</li>
</ol>
<p>代码实现：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#coding=utf-8</span></span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"><span class="keyword">import</span> binascii</span><br><span class="line"><span class="keyword">from</span> pyDes <span class="keyword">import</span> *</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">DesEncrypt</span>(<span class="params"><span class="built_in">str</span>, Des_Key</span>):</span></span><br><span class="line">    k = des(binascii.a2b_hex(Des_Key), ECB, pad=<span class="literal">None</span>)</span><br><span class="line">    EncryptStr = k.encrypt(<span class="built_in">str</span>)</span><br><span class="line">    <span class="keyword">return</span> binascii.b2a_hex(EncryptStr)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">group_just</span>(<span class="params">length,text</span>):</span></span><br><span class="line">    <span class="comment"># text 00110001001100100011001100110100001101010011011000000000</span></span><br><span class="line">    text_area = re.findall(<span class="string">r&#x27;.&#123;%d&#125;&#x27;</span> % <span class="built_in">int</span>(length), text) <span class="comment"># [&#x27;0011000&#x27;, &#x27;1001100&#x27;, &#x27;1000110&#x27;, &#x27;0110011&#x27;, &#x27;0100001&#x27;, &#x27;1010100&#x27;, &#x27;1101100&#x27;, &#x27;0000000&#x27;]</span></span><br><span class="line">    text_area_padding = [i + <span class="string">&#x27;0&#x27;</span> <span class="keyword">for</span> i <span class="keyword">in</span> text_area] <span class="comment">#[&#x27;00110000&#x27;, &#x27;10011000&#x27;, &#x27;10001100&#x27;, &#x27;01100110&#x27;, &#x27;01000010&#x27;, &#x27;10101000&#x27;, &#x27;11011000&#x27;, &#x27;00000000&#x27;]</span></span><br><span class="line">    hex_str = <span class="string">&#x27;&#x27;</span>.join(text_area_padding) <span class="comment"># 0011000010011000100011000110011001000010101010001101100000000000</span></span><br><span class="line">    hex_int = <span class="built_in">hex</span>(<span class="built_in">int</span>(hex_str, <span class="number">2</span>))[<span class="number">2</span>:].rstrip(<span class="string">&quot;L&quot;</span>) <span class="comment">#30988c6642a8d800</span></span><br><span class="line">    <span class="keyword">if</span> hex_int == <span class="string">&#x27;0&#x27;</span>:</span><br><span class="line">        hex_int = <span class="string">&#x27;0000000000000000&#x27;</span></span><br><span class="line">    <span class="keyword">return</span> hex_int</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">lm_hash</span>(<span class="params">password</span>):</span></span><br><span class="line">    <span class="comment"># 1. 用户的密码转换为大写，密码转换为16进制字符串，不足14字节将会用0来再后面补全。</span></span><br><span class="line">    pass_hex = password.upper().encode(<span class="string">&quot;hex&quot;</span>).ljust(<span class="number">28</span>,<span class="string">&#x27;0&#x27;</span>) <span class="comment">#3132333435360000000000000000</span></span><br><span class="line">    <span class="built_in">print</span>(pass_hex) </span><br><span class="line">    <span class="comment"># 2. 密码的16进制字符串被分成两个7byte部分。每部分转换成比特流，并且长度位56bit，长度不足使用0在左边补齐长度</span></span><br><span class="line">    left_str = pass_hex[:<span class="number">14</span>] <span class="comment">#31323334353600</span></span><br><span class="line">    right_str = pass_hex[<span class="number">14</span>:] <span class="comment">#00000000000000</span></span><br><span class="line">    left_stream = <span class="built_in">bin</span>(<span class="built_in">int</span>(left_str, <span class="number">16</span>)).lstrip(<span class="string">&#x27;0b&#x27;</span>).rjust(<span class="number">56</span>, <span class="string">&#x27;0&#x27;</span>) <span class="comment"># 00110001001100100011001100110100001101010011011000000000</span></span><br><span class="line">    right_stream = <span class="built_in">bin</span>(<span class="built_in">int</span>(right_str, <span class="number">16</span>)).lstrip(<span class="string">&#x27;0b&#x27;</span>).rjust(<span class="number">56</span>, <span class="string">&#x27;0&#x27;</span>) <span class="comment"># 00000000000000000000000000000000000000000000000000000000</span></span><br><span class="line">    <span class="comment"># 3. 再分7bit为一组,每组末尾加0，再组成一组</span></span><br><span class="line">    left_stream = group_just(<span class="number">7</span>,left_stream) <span class="comment"># 30988c6642a8d800</span></span><br><span class="line">    right_stream = group_just(<span class="number">7</span>,right_stream) <span class="comment"># 0000000000000000</span></span><br><span class="line">    <span class="comment"># 4. 上步骤得到的二组，分别作为key 为 &quot;KGS!@#$%&quot;进行DES加密。</span></span><br><span class="line">    left_lm = DesEncrypt(<span class="string">&#x27;KGS!@#$%&#x27;</span>,left_stream) <span class="comment">#44efce164ab921ca</span></span><br><span class="line">    right_lm = DesEncrypt(<span class="string">&#x27;KGS!@#$%&#x27;</span>,right_stream) <span class="comment"># aad3b435b51404ee</span></span><br><span class="line">    <span class="comment"># 5. 将加密后的两组拼接在一起，得到最终LM HASH值。</span></span><br><span class="line">    <span class="keyword">return</span> left_lm + right_lm</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">&#x27;__main__&#x27;</span>:</span><br><span class="line">    <span class="built_in">hash</span> = lm_hash(<span class="string">&quot;aaaaa&quot;</span>)</span><br></pre></td></tr></table></figure>

<p>上述LM Hash有一些问题：</p>
<ol>
<li>密码长度不超过14字节</li>
<li>不区分大小写</li>
<li>长度小于7位的话，后半部分唯一确定:<code>aad3b435b51404ee</code></li>
<li>14字节转化为2*7，降低了复杂度，即7字节DES的2倍</li>
<li>DES强度低</li>
<li>key固定</li>
</ol>
<h2 id="NTLM-Hash"><a href="#NTLM-Hash" class="headerlink" title="NTLM Hash"></a>NTLM Hash</h2><p>为解决上述问题，微软在1993年的Windows NT 3.1引入NTLM Hash，下面为各Windows对LM和NTLM的支持：</p>
<table>
<thead>
<tr>
<th></th>
<th>2000</th>
<th>XP</th>
<th>2003</th>
<th>Vista</th>
<th>Win7</th>
<th>2008</th>
<th>Win8</th>
<th>2012</th>
</tr>
</thead>
<tbody><tr>
<td>LM</td>
<td>√</td>
<td>√</td>
<td>√</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>NTLM</td>
<td>√</td>
<td>√</td>
<td>√</td>
<td>√</td>
<td>√</td>
<td>√</td>
<td>√</td>
<td>√</td>
</tr>
</tbody></table>
<p>其中，在Win 2000&#x2F;XP&#x2F;2003中，长度不超过14的话，依旧使用LM，超过的话使用NTLM。</p>
<p>在Vista开始，默认只存储NTLM Hash，不存LM Hash(LM Hash固定<code>AAD3B435B51404EEAAD3B435B51404EE</code>，NULL之后运算的结果)，有些工具的格式固定，需要填写LM Hash，0填充即可。LM Hash的位置依旧存在，只不过没有价值。</p>
<p>NTLM Hash计算步骤：</p>
<ol>
<li>转16进制</li>
<li>Unicode编码，就是加00</li>
<li>使用MD4对Unicode进行hash</li>
</ol>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python -c <span class="string">&#x27;import hashlib,binascii; print binascii.hexlify(hashlib.new(&quot;md4&quot;, &quot;p@Assword!123&quot;.encode(&quot;utf-16le&quot;)).digest())&#x27;</span></span><br></pre></td></tr></table></figure>



<h1 id="NTLM身份认证"><a href="#NTLM身份认证" class="headerlink" title="NTLM身份认证"></a>NTLM身份认证</h1><p>分为本地认证和网络认证</p>
<h2 id="本地认证"><a href="#本地认证" class="headerlink" title="本地认证"></a>本地认证</h2><p>Windows在保存密码的时候，保存的不是密码的明文，而是密码的hash。</p>
<p>保存的位置：<code>%SystemRoot%\system32\config\sam</code></p>
<p>SAM文件中保留了计算机本地所有用户的凭证信息，可以理解为是一个数据库</p>
<p><img src="/2022/05/23/NTML/image-20220523145537700.png" alt="image-20220523145537700"></p>
<p>当登陆的时候，系统读SAM文件中内容与输入的比较，相同则认证成功。</p>
<p>认证流程：<code>winlogon.exe --&gt; 用户输入 --&gt; lsass.exe（认证）</code></p>
<p>用户注销、重启、锁屏后，系统会让<code>winlogon.exe</code>显示登陆界面，之后用户输入，得到输入后交给lsass进程，将明文加密为NTLM后，与SAM中的内容进行比较。</p>
<p>lsass：用于微软Windows系统的安全机制，用于本地安全和登陆策略。</p>
<h2 id="网络认证"><a href="#网络认证" class="headerlink" title="网络认证"></a>网络认证</h2><p>上面是本地认证，下面这里来写网络认证。</p>
<p>NTLM是一种网络认证协议，它是基于挑战（Challenge）&#x2F;响应（Response）认证机制的一种认证模式。这个协议只支持Windows。</p>
<p>由三种消息组成，即三步：</p>
<ol>
<li>协商type1：协商确定协议版本，重要的是用户名</li>
<li>质询type2：挑战&#x2F;响应起作用的范畴，重要的是challenge，服务端生成</li>
<li>身份验证type3：质询完成后的验证，重要的是response，客户端生成，又称为<code>Net NTLM Hash</code>，用户NTLM Hash计算challenge的结果</li>
</ol>
<p>在工作组中完整流程：</p>
<ol>
<li><p>用户名&#x2F;密码登陆客户端</p>
</li>
<li><p>客户端将密码进行hash存储，丢弃密码明文。客户端发送协商消息type1(NEGOTIATE)，包含客户端支持和服务端请求的功能列表，请求还包含用户名、机器以及需要使用的安全服务等信息。</p>
</li>
<li><p>服务端使用type2(质询)消息进行响应，包含服务端支持和同意的功能列表。其中最重要的是服务端生成的challenge，即服务端随机生成的16位随机数。</p>
</li>
<li><p>客户端收到上述响应后，发送type3(验证)消息。用户收到上述响应后，使用用户NTLM Hash加密challenge，得到response，发送的验证消息包含[response，username，challenge]。</p>
<p>这里NTLM Hash计算challenge的结果在网络协议中成为<code>Net NTLM Hash</code>。</p>
</li>
<li><p>服务端拿到type3(验证)消息后，服务端使用用户的NTLM Hash加密challenge，得到response1，将其与客户端发送的response进行比较验证。</p>
</li>
</ol>
<p>上述是在工作组中的流程，下面是在域中的流程，前4步是一样的，只有最后一步不一样，分为两步：</p>
<ol start="5">
<li>服务端拿到type3(验证)消息后，服务端使用用户的NTLM Hash(如果服务端有的话)加密challenge，得到response1，将其与客户端发送的response进行比较验证。如果服务端本地没有该用户NTLM Hash的话，也就计算不了response1，这时服务端使用netlogon协议联系域控，建立好安全通道后，将type1,type2,type3一起发送给域控(这个过程也叫作Pass Through Authentication认证流程)</li>
<li>域控使用challenge和用户NTLM Hash计算并与response比较验证。</li>
</ol>
<h2 id="三个过程"><a href="#三个过程" class="headerlink" title="三个过程"></a>三个过程</h2><h3 id="协商type1"><a href="#协商type1" class="headerlink" title="协商type1"></a>协商type1</h3><p>每个字段的含义见微软文档：<a target="_blank" rel="noopener" href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b34032e5-3aae-4bc6-84c3-c6d80eadf7f2">https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b34032e5-3aae-4bc6-84c3-c6d80eadf7f2</a></p>
<table>
<thead>
<tr>
<th align="left">字段</th>
<th align="left">含义</th>
</tr>
</thead>
<tbody><tr>
<td align="left">Signature</td>
<td align="left">签名，一个 8 字节字符数组，必须包含 ASCII 字符串（’N’、’T’、’L’、’M’、’S’、’S’、’P’、’\0 ‘）</td>
</tr>
<tr>
<td align="left">MessageType</td>
<td align="left">消息类型，必须为0x00000001</td>
</tr>
<tr>
<td align="left">NegotiateFlags</td>
<td align="left">包含一组<strong>NEGOTIATE</strong>结构</td>
</tr>
<tr>
<td align="left">DomainNameFields</td>
<td align="left">包含域名信息字段。</td>
</tr>
<tr>
<td align="left">WorkstationFields</td>
<td align="left">包含<strong>WorkstationName</strong>信息字段</td>
</tr>
<tr>
<td align="left">Version</td>
<td align="left">版本</td>
</tr>
<tr>
<td align="left">Payload (variable)</td>
<td align="left"></td>
</tr>
</tbody></table>
<h3 id="质询type2"><a href="#质询type2" class="headerlink" title="质询type2"></a>质询type2</h3><p>详细字段信息见微软文档：<a target="_blank" rel="noopener" href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/801a4681-8809-4be9-ab0d-61dcfe762786">https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/801a4681-8809-4be9-ab0d-61dcfe762786</a></p>
<p>质询的信息重要的就是服务端产生的challenge</p>
<table>
<thead>
<tr>
<th>字段</th>
<th>含义</th>
</tr>
</thead>
<tbody><tr>
<td>Signature</td>
<td>签名，同上</td>
</tr>
<tr>
<td>MessageType</td>
<td>消息类型，必须为0x00000002</td>
</tr>
<tr>
<td>TargetNameFields</td>
<td>包含<strong>TargetName</strong>信息的字段</td>
</tr>
<tr>
<td>NegotiateFlags</td>
<td>包含一组<strong>NEGOTIATE</strong>结构</td>
</tr>
<tr>
<td>ServerChallenge</td>
<td>包含NTLM质询的8字节</td>
</tr>
<tr>
<td>Reserved</td>
<td>一个 8 字节数组，其元素在发送时必须为零，并且在接收时必须被忽略。</td>
</tr>
<tr>
<td>TargetInfoFields</td>
<td>包含<strong>TargetInfo</strong>信息的字段</td>
</tr>
<tr>
<td>Version</td>
<td>版本</td>
</tr>
<tr>
<td>Payload (variable)</td>
<td></td>
</tr>
</tbody></table>
<p>示例：</p>
<p><img src="/2022/05/23/NTML/t017f0ae4b36b11e5ae.png" alt="img"></p>
<h3 id="身份验证type3"><a href="#身份验证type3" class="headerlink" title="身份验证type3"></a>身份验证type3</h3><p>详细字段信息见微软文档：<a target="_blank" rel="noopener" href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/033d32cc-88f9-4483-9bf2-b273055038ce">https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/033d32cc-88f9-4483-9bf2-b273055038ce</a></p>
<table>
<thead>
<tr>
<th>字段</th>
<th>含义</th>
</tr>
</thead>
<tbody><tr>
<td>Signature</td>
<td>签名，同上</td>
</tr>
<tr>
<td>MessageType</td>
<td>消息类型，必须为0x00000003</td>
</tr>
<tr>
<td>LmChallengeResponseFields</td>
<td>包含<strong>LmChallengeResponse</strong>信息的字段</td>
</tr>
<tr>
<td>NtChallengeResponseFields</td>
<td>包含<strong>NtChallengeResponse</strong>信息的字段</td>
</tr>
<tr>
<td>DomainNameFields</td>
<td>包含<strong>DomainName</strong>信息的字段</td>
</tr>
<tr>
<td>UserNameFields</td>
<td>包含<strong>UserName</strong> 信息的字段</td>
</tr>
<tr>
<td>WorkstationFields</td>
<td>包含<strong>Workstation</strong>信息的字段</td>
</tr>
<tr>
<td>EncryptedRandomSessionKeyFields</td>
<td>包含<strong>EncryptedRandomSessionKey</strong>信息的字段</td>
</tr>
<tr>
<td>NegotiateFlags</td>
<td></td>
</tr>
<tr>
<td>Version</td>
<td></td>
</tr>
<tr>
<td>MIC (16 bytes)</td>
<td>NTLM NEGOTIATE_MESSAGE、CHALLENGE_MESSAGE 和 AUTHENTICATE_MESSAGE 的消息完整性</td>
</tr>
<tr>
<td>Payload (variable)</td>
<td></td>
</tr>
</tbody></table>
<h1 id="NTLM-v1-x2F-v2协议"><a href="#NTLM-v1-x2F-v2协议" class="headerlink" title="NTLM v1&#x2F;v2协议"></a>NTLM v1&#x2F;v2协议</h1><h2 id="NTLM与NTLM-v1-x2F-v2与Net-NTLM-v1-x2F-v2区别"><a href="#NTLM与NTLM-v1-x2F-v2与Net-NTLM-v1-x2F-v2区别" class="headerlink" title="NTLM与NTLM v1&#x2F;v2与Net NTLM v1&#x2F;v2区别"></a>NTLM与NTLM v1&#x2F;v2与Net NTLM v1&#x2F;v2区别</h2><p>首先是NTLM，就是最上面的那个，例子：<code>AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0</code></p>
<p>而<code>NTLM v1/v2</code>与NTLM不一样，<code>NTLM v1/v2</code>是<code>Net NTLM v1/v2</code>的缩写，也就是说他俩才是一回事。Net NTLM用于网络身份验证，就是上面那个challenge&#x2F;response认证的那个，下面举个NTLM v2的例子，来源<a target="_blank" rel="noopener" href="https://hashcat.net/wiki/doku.php?id=example_hashes">hashcat</a>：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030 </span><br></pre></td></tr></table></figure>



<h2 id="NTLM-v1-x2F-v2"><a href="#NTLM-v1-x2F-v2" class="headerlink" title="NTLM v1&#x2F;v2"></a>NTLM v1&#x2F;v2</h2><p>NTLM v2是在Windows NT4.0 SP4中引入的，与NTLM v1的区别是challenge和hash算法不同，相同点是使用的都是NTLM Hash</p>
<ul>
<li>challenge<ul>
<li>NTLM v1：8byte</li>
<li>NTLM v2：16byte</li>
</ul>
</li>
<li>Net NTLM Hash<ul>
<li>v1：DES</li>
<li>v2：HMAC-MD5</li>
</ul>
</li>
</ul>
<p>NTLM  v1格式：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username::hostname:LM response:NTLM response:challenge</span><br></pre></td></tr></table></figure>

<p>NTML v2格式：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username::domain:challenge:HMAC-MD5:blob</span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"># NTLM</span><br><span class="line"></span><br><span class="line">C = 8-byte server challenge, random</span><br><span class="line">K1 | K2 | K3 = NTLM-Hash | 5-bytes-0</span><br><span class="line">response = DES(K1,C) | DES(K2,C) | DES(K3,C)</span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"># NTLM v2</span><br><span class="line"></span><br><span class="line">SC = 8-byte server challenge, random</span><br><span class="line">CC = 8-byte client challenge, random</span><br><span class="line">CC* = (X, time, CC2, domain name)</span><br><span class="line">v2-Hash = HMAC-MD5(NT-Hash, user name, domain name)</span><br><span class="line">LMv2 = HMAC-MD5(v2-Hash, SC, CC)</span><br><span class="line">NTv2 = HMAC-MD5(v2-Hash, SC, CC*)</span><br><span class="line">response = LMv2 | CC | NTv2 | CC*</span><br></pre></td></tr></table></figure>

<h2 id="Response提取NTLM-v2"><a href="#Response提取NTLM-v2" class="headerlink" title="Response提取NTLM v2"></a>Response提取NTLM v2</h2><p>这里就不搭建了，使用的<a target="_blank" rel="noopener" href="https://3gstudent.github.io/Windows%E4%B8%8B%E7%9A%84%E5%AF%86%E7%A0%81hash-NTLM-hash%E5%92%8CNet-NTLM-hash%E4%BB%8B%E7%BB%8D">3gstudent师傅</a></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">Server</span><br><span class="line">	IP:192.168.62.139</span><br><span class="line">	username:a</span><br><span class="line">	password:test123</span><br><span class="line">Client</span><br><span class="line">	IP:192.168.62.130</span><br></pre></td></tr></table></figure>

<p>客户端连接服务端：</p>
<p><code>net use \\192.168.52.139 /u:a test123</code></p>
<p>抓包：</p>
<p><img src="/2022/05/23/NTML/2-3.png" alt="Alt text"></p>
<p>前4个对应的就是NTLM认证的几个步骤，第二个查看数据包，其中的challenge：<code>c0b5429111f9c5f4</code></p>
<p><img src="/2022/05/23/NTML/2-4.png" alt="Alt text"></p>
<p>查看第三个数据包得到客户端加密的challenge：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">challenge:a9134eee81ca25de</span><br><span class="line"></span><br><span class="line">response:a5f1c47844e5b3b9c6f67736a2e1916d:0101000000000000669dae86ba8bd301a9134eee81ca25de0000000002001e00570049004e002d003100550041004200430047004200470049005500330001001e00570049004e002d003100550041004200430047004200470049005500330004001e00570049004e002d003100550041004200430047004200470049005500330003001e00570049004e002d003100550041004200430047004200470049005500330007000800669dae86ba8bd30106000400020000000800300030000000000000000000000000300000e9d9e613613097d1e2f47c1fd97fa099f65dfd78075d8bdb5ca162492ea5d2990a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00360032002e00310033003900000000000000000000000000</span><br></pre></td></tr></table></figure>

<p><img src="/2022/05/23/NTML/2-5.png" alt="Alt text"></p>
<p>其中NTLM v2格式：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">username::domain:challenge:HMAC-MD5:blob</span><br></pre></td></tr></table></figure>

<ul>
<li><p>domain可由数据包获得</p>
</li>
<li><p>HMAC-MD5对应数据包中的NTProofStr，见上图。</p>
</li>
<li><p>blob对应数据包中Response去掉NTProofStr的后半部分</p>
</li>
</ul>
<p>完整NTLM v2的数据：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">a::192.168.62.139:c0b5429111f9c5f4:a5f1c47844e5b3b9c6f67736a2e1916d:0101000000000000669dae86ba8bd301a9134eee81ca25de0000000002001e00570049004e002d003100550041004200430047004200470049005500330001001e00570049004e002d003100550041004200430047004200470049005500330004001e00570049004e002d003100550041004200430047004200470049005500330003001e00570049004e002d003100550041004200430047004200470049005500330007000800669dae86ba8bd30106000400020000000800300030000000000000000000000000300000e9d9e613613097d1e2f47c1fd97fa099f65dfd78075d8bdb5ca162492ea5d2990a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00360032002e00310033003900000000000000000000000000</span><br></pre></td></tr></table></figure>

<p>可以使用Hashcat对该Net-NTLM hash进行破解</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">hashcat -m 5600 a::192.168.62.139:c0b5429111f9c5f4:a5f1c47844e5b3b9c6f67736a2e1916d:0101000000000000669dae86ba8bd301a9134eee81ca25de0000000002001e00570049004e002d003100550041004200430047004200470049005500330001001e00570049004e002d003100550041004200430047004200470049005500330004001e00570049004e002d003100550041004200430047004200470049005500330003001e00570049004e002d003100550041004200430047004200470049005500330007000800669dae86ba8bd30106000400020000000800300030000000000000000000000000300000e9d9e613613097d1e2f47c1fd97fa099f65dfd78075d8bdb5ca162492ea5d2990a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00360032002e00310033003900000000000000000000000000 /tmp/password.list -o found.txt --force</span><br></pre></td></tr></table></figure>

<p>参数：</p>
<ul>
<li>-m：hash-type，其中Net NTLM v2对应5600</li>
<li>-o：输出文件</li>
<li>-force：强制执行</li>
</ul>
<h1 id="SSP-amp-SSPI"><a href="#SSP-amp-SSPI" class="headerlink" title="SSP &amp;SSPI"></a>SSP &amp;SSPI</h1><p><img src="/2022/05/23/NTML/6308e85c-09ca-4a40-9c2b-3e310e1f2a69.jpg" alt="img"></p>
<p>SSPI(Security Support Provider Interface)：这是 Windows 定义的一套接口，此接口定义了与安全有关的功能函数， 用来获得验证、信息完整性、信息隐私等安全功能，就是定义了一套接口函数用来身份验证，签名等，但是没有具体的实现。</p>
<p>SSP(Security Support Provider)：SSPI 的实现者，对SSPI相关功能函数的具体实现。微软自己实现了如下的 SSP，用于提供安全功能：</p>
<ul>
<li>NTLM SSP ( Challenge&#x2F;Response 验证机制 )</li>
<li>Kerberos ( 基于 ticket 的身份验证机制 )</li>
<li>Cred SSP (CredSSP 凭据安全支持提供程序 )</li>
<li>Digest SSP (摘要式安全支持提供程序)</li>
<li>Negotiate SSP(协商安全支持提供程序)</li>
<li>Schannel SSP</li>
<li>Negotiate Extensions SSP</li>
<li>PKU2U SSP</li>
</ul>
<p>系统层面，SSP其实就是一个dll，来实现身份验证等安全功能。NTLM是基于Challenge&#x2F;Response机制，Kerberos是基于ticket的身份验证。所以，我们也可以实现自己的SSP，让系统实现更多的身份验证方法，Mimikatz就自己实现了一个利用SSP机制的记录密码。</p>
<p>抓包的时候可以看到啊NTLMSSp是在GSSAPI下面的。</p>
<blockquote>
<p>  <strong>因为sspi是gssapi的变体，这里出现gssapi是为了兼容。注册为SSP的好处就是，SSP实现了了与安全有关的功能函数，那上层协议(比如SMB)在进行身份认证等功能的时候，就可以不用考虑协议细节，只需要调用相关的函数即可。而认证过程中的流量嵌入在上层协议里面。不像kerbreos，既可以镶嵌在上层协议里面，也可以作为独立的应用层协议。ntlm是只能镶嵌在上层协议里面，消息的传输依赖于使用ntlm的上层协议。</strong></p>
</blockquote>
<h1 id="引用"><a href="#引用" class="headerlink" title="引用"></a>引用</h1><blockquote>
<p>  <a target="_blank" rel="noopener" href="https://daiker.gitbook.io/windows-protocol/ntlm-pian/4">https://daiker.gitbook.io/windows-protocol/ntlm-pian/4</a></p>
<p>  <a target="_blank" rel="noopener" href="https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html">https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html</a></p>
<p>  <a target="_blank" rel="noopener" href="http://davenport.sourceforge.net/ntlm.html">http://davenport.sourceforge.net/ntlm.html</a></p>
<p>  <a target="_blank" rel="noopener" href="https://1sparrow.com/2019/12/04/Windows%20%E8%BA%AB%E4%BB%BD%E9%AA%8C%E8%AF%81%E4%BD%93%E7%B3%BB%E7%BB%93%E6%9E%84/">https://1sparrow.com/2019/12/04/Windows%20%E8%BA%AB%E4%BB%BD%E9%AA%8C%E8%AF%81%E4%BD%93%E7%B3%BB%E7%BB%93%E6%9E%84/</a></p>
<p>  <a target="_blank" rel="noopener" href="https://atsud0.me/2022/03/07/%E3%80%90%E5%9F%9F%E6%B8%97%E9%80%8F%E3%80%91%E6%B5%85%E6%B7%A1NTLM-%E5%86%85%E7%BD%91%E5%B0%8F%E7%99%BD%E7%9A%84NTLM%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/">https://atsud0.me/2022/03/07/%E3%80%90%E5%9F%9F%E6%B8%97%E9%80%8F%E3%80%91%E6%B5%85%E6%B7%A1NTLM-%E5%86%85%E7%BD%91%E5%B0%8F%E7%99%BD%E7%9A%84NTLM%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/</a></p>
</blockquote>

                                                                    </div>
                                                                    
                                                                        <div class="prev-or-next">
                                                                            <div class="post-foot-next">
                                                                                
                                                                                    <a href="/2022/05/15/%E5%9F%9F%E5%A7%94%E6%B4%BE/" target="_self">
                                                                                        <i class="iconfont icon-chevronleft"></i>
                                                                                        <span>Prev</span>
                                                                                    </a>
                                                                                    
                                                                            </div>
                                                                            <div class="post-attach">
                                                                                <!-- <span class="post-pubtime">
              <i class="iconfont icon-updatetime" title="Update time"></i>
              2022-05-23
            </span> -->

                                                                                
                                                                                            <span class="post-categories">
          <!-- <i class="iconfont icon-bookmark" title="Categories"></i> -->
          
          <!-- <span class="span--category">
            <a href="/categories/Technology/" title="Technology">
              <b>#</b> Technology
            </a>
          </span> -->
                                                                                            
                                                                                                </span>
                                                                                                
                                                                                    <span class="post-tags">
          <!-- <i class="iconfont icon-tags" title="Tags"></i> -->
          
          <!-- <span class="span--tag">
            <a href="/tags/%E5%86%85%E7%BD%91/" title="内网">
              <b>#</b> 内网
            </a>
          </span> -->
                                                                                    
                                                                                        </span>
                                                                                        
                                                                            </div>
                                                                            <div class="post-foot-prev">
                                                                                
                                                                                    <a href="/2022/05/25/Powershell/" target="_self">
                                                                                        <span>Next</span>
                                                                                        <i class="iconfont icon-chevronright"></i>
                                                                                    </a>
                                                                                    
                                                                            </div>
                                                                        </div>
                                                                        
                                                                </div>
                                                                
  <div id="btn-catalog" class="btn-catalog">
    <i class="iconfont icon-catalog"></i>
  </div>
  <div class="post-catalog hidden" id="catalog">
    <div class="title">Contents</div>
    <div class="catalog-content">
      
        <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#LM-hash-amp-NTLM-hash"><span class="toc-text">LM hash &amp; NTLM hash</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#LM-Hash"><span class="toc-text">LM Hash</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#NTLM-Hash"><span class="toc-text">NTLM Hash</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#NTLM%E8%BA%AB%E4%BB%BD%E8%AE%A4%E8%AF%81"><span class="toc-text">NTLM身份认证</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#%E6%9C%AC%E5%9C%B0%E8%AE%A4%E8%AF%81"><span class="toc-text">本地认证</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E7%BD%91%E7%BB%9C%E8%AE%A4%E8%AF%81"><span class="toc-text">网络认证</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#%E4%B8%89%E4%B8%AA%E8%BF%87%E7%A8%8B"><span class="toc-text">三个过程</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%8D%8F%E5%95%86type1"><span class="toc-text">协商type1</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E8%B4%A8%E8%AF%A2type2"><span class="toc-text">质询type2</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E8%BA%AB%E4%BB%BD%E9%AA%8C%E8%AF%81type3"><span class="toc-text">身份验证type3</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#NTLM-v1-x2F-v2%E5%8D%8F%E8%AE%AE"><span class="toc-text">NTLM v1&#x2F;v2协议</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#NTLM%E4%B8%8ENTLM-v1-x2F-v2%E4%B8%8ENet-NTLM-v1-x2F-v2%E5%8C%BA%E5%88%AB"><span class="toc-text">NTLM与NTLM v1&#x2F;v2与Net NTLM v1&#x2F;v2区别</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#NTLM-v1-x2F-v2"><span class="toc-text">NTLM v1&#x2F;v2</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Response%E6%8F%90%E5%8F%96NTLM-v2"><span class="toc-text">Response提取NTLM v2</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#SSP-amp-SSPI"><span class="toc-text">SSP &amp;SSPI</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#%E5%BC%95%E7%94%A8"><span class="toc-text">引用</span></a></li></ol>
      
    </div>
  </div>

  
<script src="/js/catalog.js"></script>




                                                                    
                                                                        <div class="comments-container">
                                                                            







                                                                        </div>
                                                                        
                                                            </div>
                                                            
        
<div class="footer">
  <div class="social">
    <ul>
      
        <li>
          <a title="github" target="_blank" rel="noopener" href="https://github.com/Ghostasky">
            <i class="iconfont icon-github"></i>
          </a>
        </li>
      
        <li>
          <a title="twitter" target="_blank" rel="noopener" href="https://twitter.com/ghostasky">
            <i class="iconfont icon-twitter"></i>
          </a>
        </li>
      
    </ul>
  </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/Ghostasky">怕什么真理无穷，进一寸有进一寸的欢喜。</a>
        
    </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/zchengsite/hexo-theme-oranges">Copyright © 2022 Oranges</a>
        
    </div>
  
    
    <div class="footer-more">
      
        <a target="_blank" rel="noopener" href="https://github.com/zchengsite/hexo-theme-oranges">Theme by Oranges | Powered by Hexo</a>
        
    </div>
  
</div>

      </div>

      <div class="tools-bar">
        <div class="back-to-top tools-bar-item hidden">
  <a href="javascript: void(0)">
    <i class="iconfont icon-chevronup"></i>
  </a>
</div>


<script src="/js/backtotop.js"></script>



        
  <div class="search-icon tools-bar-item" id="search-icon">
    <a href="javascript: void(0)">
      <i class="iconfont icon-search"></i>
    </a>
  </div>

  <div class="search-overlay hidden">
    <div class="search-content" tabindex="0">
      <div class="search-title">
        <span class="search-icon-input">
          <a href="javascript: void(0)">
            <i class="iconfont icon-search"></i>
          </a>
        </span>
        
          <input type="text" class="search-input" id="search-input" placeholder="Search...">
        
        <span class="search-close-icon" id="search-close-icon">
          <a href="javascript: void(0)">
            <i class="iconfont icon-close"></i>
          </a>
        </span>
      </div>
      <div class="search-result" id="search-result"></div>
    </div>
  </div>

  <script type="text/javascript">
    var inputArea = document.querySelector("#search-input")
    var searchOverlayArea = document.querySelector(".search-overlay")

    inputArea.onclick = function() {
      getSearchFile()
      this.onclick = null
    }

    inputArea.onkeydown = function() {
      if(event.keyCode == 13)
        return false
    }

    function openOrHideSearchContent() {
      let isHidden = searchOverlayArea.classList.contains('hidden')
      if (isHidden) {
        searchOverlayArea.classList.remove('hidden')
        document.body.classList.add('hidden')
        // inputArea.focus()
      } else {
        searchOverlayArea.classList.add('hidden')
        document.body.classList.remove('hidden')
      }
    }

    function blurSearchContent(e) {
      if (e.target === searchOverlayArea) {
        openOrHideSearchContent()
      }
    }

    document.querySelector("#search-icon").addEventListener("click", openOrHideSearchContent, false)
    document.querySelector("#search-close-icon").addEventListener("click", openOrHideSearchContent, false)
    searchOverlayArea.addEventListener("click", blurSearchContent, false)

    var searchFunc = function (path, search_id, content_id) {
      'use strict';
      var $input = document.getElementById(search_id);
      var $resultContent = document.getElementById(content_id);
      $resultContent.innerHTML = "<ul><span class='local-search-empty'>First search, index file loading, please wait...<span></ul>";
      $.ajax({
        // 0x01. load xml file
        url: path,
        dataType: "xml",
        success: function (xmlResponse) {
          // 0x02. parse xml file
          var datas = $("entry", xmlResponse).map(function () {
            return {
              title: $("title", this).text(),
              content: $("content", this).text(),
              url: $("url", this).text()
            };
          }).get();
          $resultContent.innerHTML = "";

          $input.addEventListener('input', function () {
            // 0x03. parse query to keywords list
            var str = '<ul class=\"search-result-list\">';
            var keywords = this.value.trim().toLowerCase().split(/[\s\-]+/);
            $resultContent.innerHTML = "";
            if (this.value.trim().length <= 0) {
              return;
            }
            // 0x04. perform local searching
            datas.forEach(function (data) {
              var isMatch = true;
              var content_index = [];
              if (!data.title || data.title.trim() === '') {
                data.title = "Untitled";
              }
              var orig_data_title = data.title.trim();
              var data_title = orig_data_title.toLowerCase();
              var orig_data_content = data.content.trim().replace(/<[^>]+>/g, "");
              var data_content = orig_data_content.toLowerCase();
              var data_url = data.url;
              var index_title = -1;
              var index_content = -1;
              var first_occur = -1;
              // only match artiles with not empty contents
              if (data_content !== '') {
                keywords.forEach(function (keyword, i) {
                  index_title = data_title.indexOf(keyword);
                  index_content = data_content.indexOf(keyword);

                  if (index_title < 0 && index_content < 0) {
                    isMatch = false;
                  } else {
                    if (index_content < 0) {
                      index_content = 0;
                    }
                    if (i == 0) {
                      first_occur = index_content;
                    }
                    // content_index.push({index_content:index_content, keyword_len:keyword_len});
                  }
                });
              } else {
                isMatch = false;
              }
              // 0x05. show search results
              if (isMatch) {
                str += "<li><a href='" + data_url + "' class='search-result-title'>" + orig_data_title + "</a>";
                var content = orig_data_content;
                if (first_occur >= 0) {
                  // cut out 100 characters
                  var start = first_occur - 20;
                  var end = first_occur + 80;

                  if (start < 0) {
                    start = 0;
                  }

                  if (start == 0) {
                    end = 100;
                  }

                  if (end > content.length) {
                    end = content.length;
                  }

                  var match_content = content.substr(start, end);

                  // highlight all keywords
                  keywords.forEach(function (keyword) {
                    var regS = new RegExp(keyword, "gi");
                    match_content = match_content.replace(regS, "<span class=\"search-keyword\">" + keyword + "</span>");
                  });

                  str += "<p class=\"search-result-abstract\">" + match_content + "...</p>"
                }
                str += "</li>";
              }
            });
            str += "</ul>";
            if (str.indexOf('<li>') === -1) {
              return $resultContent.innerHTML = "<ul><span class='local-search-empty'>No result<span></ul>";
            }
            $resultContent.innerHTML = str;
          });
        },
        error: function(xhr, status, error) {
          $resultContent.innerHTML = ""
          if (xhr.status === 404) {
            $resultContent.innerHTML = "<ul><span class='local-search-empty'>The search.xml file was not found, please refer to：<a href='https://github.com/zchengsite/hexo-theme-oranges#configuration' target='_black'>configuration</a><span></ul>";
          } else {
            $resultContent.innerHTML = "<ul><span class='local-search-empty'>The request failed, Try to refresh the page or try again later.<span></ul>";
          }
        }
      });
      $(document).on('click', '#search-close-icon', function() {
        $('#search-input').val('');
        $('#search-result').html('');
      });
    }

    var getSearchFile = function() {
        var path = "/search.xml";
        searchFunc(path, 'search-input', 'search-result');
    }
  </script>




        
  <div class="tools-bar-item theme-icon" id="switch-color-scheme">
    <a href="javascript: void(0)">
      <i id="theme-icon" class="iconfont icon-moon"></i>
    </a>
  </div>

  
<script src="/js/colorscheme.js"></script>





        
  
    <div class="share-icon tools-bar-item">
      <a href="javascript: void(0)" id="share-icon">
        <i class="iconfont iconshare"></i>
      </a>
      <div class="share-content hidden">
        
          <a class="share-item" href="https://twitter.com/intent/tweet?text=' + NTLM%E8%AE%A4%E8%AF%81 + '&url=' + https%3A%2F%2Fghostasky.github.io%2F2022%2F05%2F23%2FNTML%2F + '" target="_blank" title="Twitter">
            <i class="iconfont icon-twitter"></i>
          </a>
        
        
          <a class="share-item" href="https://www.facebook.com/sharer.php?u=https://ghostasky.github.io/2022/05/23/NTML/" target="_blank" title="Facebook">
            <i class="iconfont icon-facebooksquare"></i>
          </a>
        
      </div>
    </div>
  
  
<script src="/js/shares.js"></script>



      </div>
    </div>
  </body>
</html>
